crowdsec-local-mcp 0.1.0__tar.gz

crowdsec_local_mcp-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 crowdsec
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

crowdsec_local_mcp-0.1.0/MANIFEST.in

@@ -0,0 +1,3 @@
+recursive-include src/crowdsec_local_mcp/prompts *.txt
+recursive-include src/crowdsec_local_mcp/compose *
+recursive-include src/crowdsec_local_mcp/yaml-schemas *.yaml

crowdsec_local_mcp-0.1.0/PKG-INFO

@@ -0,0 +1,93 @@
+Metadata-Version: 2.4
+Name: crowdsec-local-mcp
+Version: 0.1.0
+Summary: An MCP exposing prompts and tools to help users write WAF rules, scenarios etc.
+Requires-Python: >=3.12
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: jsonschema>=4.25.1
+Requires-Dist: mcp>=1.15.0
+Requires-Dist: pyyaml>=6.0.3
+Requires-Dist: requests>=2.32.5
+Dynamic: license-file
+
+<p align="center">
+<img src="https://github.com/crowdsecurity/crowdsec-docs/blob/main/crowdsec-docs/static/img/crowdsec_logo.png" alt="CrowdSec" title="CrowdSec" width="400" height="260"/>
+</p>
+
+
+**Life is too short to write YAML, just ask nicely!**
+
+> A Model Context Protocol (MCP) server to generate, validate, and deploy CrowdSec WAF rules & Scenarios.
+
+
+## Features
+
+### WAF Rules Features
+
+- **WAF Rule Generation**: Generate CrowdSec WAF rules from user input or a CVE reference
+- **Validation**: Validate syntaxical correctness of WAF rules
+- **Linting**: Get warnings and hints to improve your WAF rules
+- **Deployment Guide**: Step-by-step deployment instructions
+- **Docker Test Harness**: Spin up CrowdSec + nginx + bouncer to exercise rules for false positives/negatives
+- **Nuclei Lookup**: Quickly jump to existing templates in the official `projectdiscovery/nuclei-templates` repository for a given CVE
+
+### Scenarios Features
+
+- **CrowdSec Scenarios Generation**: Generate CrowdSec scenarios
+- **Validation**: Validate syntaxical correctness of scenarios
+- **Linting**: Get warnings and hints to improve your scenarios
+- **Deployment Guide**: Step-by-step deployment instructions
+- **Docker Test Harness**: Spin up CrowdSec to test scenario behavior
+
+## Demo
+
+### WAF Rules Creation and testing
+
+ - [Rule creation from natural language with Claude Desktop](https://claude.ai/share/f0f246b2-6b20-4d70-a16c-c6b627ab2d80)
+ - [Rule creation from CVE reference](https://claude.ai/share/b6599407-82dd-443c-a12d-9a9825ed99df)
+
+### Scenario Creation and testing
+
+ - XX
+ - XX
+
+## Installation
+
+### Setup
+
+Install dependencies using `uv`:
+```bash
+uv sync
+```
+
+## Configuration for Claude Desktop
+
+### macOS/Linux
+
+1. Find your Claude Desktop config file:
+   - macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
+   - Linux: `~/.config/Claude/claude_desktop_config.json`
+
+2. Add the MCP server configuration:
+```json
+{
+  "mcpServers": {
+    "crowdsec-prompt-server": {
+      "command": "/path/to/crowdsec-mcp-rule-helper/.venv/bin/python",
+      "args": [
+        "/path/to/crowdsec-mcp-rule-helper/mcp-prompt.py"
+      ],
+      "cwd": "/path/to/crowdsec-mcp-rule-helper"
+    }
+  }
+}
+```
+
+**Important**: Replace `/path/to/crowdsec-mcp-rule-helper` with the actual absolute path to your cloned repository.
+
+## Pre Requisites
+
+ - Docker + Docker Compose
+
+ - Python

crowdsec_local_mcp-0.1.0/README.md

@@ -0,0 +1,80 @@
+<p align="center">
+<img src="https://github.com/crowdsecurity/crowdsec-docs/blob/main/crowdsec-docs/static/img/crowdsec_logo.png" alt="CrowdSec" title="CrowdSec" width="400" height="260"/>
+</p>
+
+
+**Life is too short to write YAML, just ask nicely!**
+
+> A Model Context Protocol (MCP) server to generate, validate, and deploy CrowdSec WAF rules & Scenarios.
+
+
+## Features
+
+### WAF Rules Features
+
+- **WAF Rule Generation**: Generate CrowdSec WAF rules from user input or a CVE reference
+- **Validation**: Validate syntaxical correctness of WAF rules
+- **Linting**: Get warnings and hints to improve your WAF rules
+- **Deployment Guide**: Step-by-step deployment instructions
+- **Docker Test Harness**: Spin up CrowdSec + nginx + bouncer to exercise rules for false positives/negatives
+- **Nuclei Lookup**: Quickly jump to existing templates in the official `projectdiscovery/nuclei-templates` repository for a given CVE
+
+### Scenarios Features
+
+- **CrowdSec Scenarios Generation**: Generate CrowdSec scenarios
+- **Validation**: Validate syntaxical correctness of scenarios
+- **Linting**: Get warnings and hints to improve your scenarios
+- **Deployment Guide**: Step-by-step deployment instructions
+- **Docker Test Harness**: Spin up CrowdSec to test scenario behavior
+
+## Demo
+
+### WAF Rules Creation and testing
+
+ - [Rule creation from natural language with Claude Desktop](https://claude.ai/share/f0f246b2-6b20-4d70-a16c-c6b627ab2d80)
+ - [Rule creation from CVE reference](https://claude.ai/share/b6599407-82dd-443c-a12d-9a9825ed99df)
+
+### Scenario Creation and testing
+
+ - XX
+ - XX
+
+## Installation
+
+### Setup
+
+Install dependencies using `uv`:
+```bash
+uv sync
+```
+
+## Configuration for Claude Desktop
+
+### macOS/Linux
+
+1. Find your Claude Desktop config file:
+   - macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
+   - Linux: `~/.config/Claude/claude_desktop_config.json`
+
+2. Add the MCP server configuration:
+```json
+{
+  "mcpServers": {
+    "crowdsec-prompt-server": {
+      "command": "/path/to/crowdsec-mcp-rule-helper/.venv/bin/python",
+      "args": [
+        "/path/to/crowdsec-mcp-rule-helper/mcp-prompt.py"
+      ],
+      "cwd": "/path/to/crowdsec-mcp-rule-helper"
+    }
+  }
+}
+```
+
+**Important**: Replace `/path/to/crowdsec-mcp-rule-helper` with the actual absolute path to your cloned repository.
+
+## Pre Requisites
+
+ - Docker + Docker Compose
+
+ - Python

crowdsec_local_mcp-0.1.0/pyproject.toml

@@ -0,0 +1,28 @@
+[project]
+name = "crowdsec-local-mcp"
+version = "0.1.0"
+description = "An MCP exposing prompts and tools to help users write WAF rules, scenarios etc."
+readme = "README.md"
+requires-python = ">=3.12"
+dependencies = [
+    "jsonschema>=4.25.1",
+    "mcp>=1.15.0",
+    "pyyaml>=6.0.3",
+    "requests>=2.32.5",
+]
+
+[project.scripts]
+crowdsec-mcp = "crowdsec_local_mcp.__main__:run"
+
+[build-system]
+requires = ["setuptools>=69", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[tool.setuptools]
+include-package-data = true
+
+[tool.setuptools.package-dir]
+"" = "src"
+
+[tool.setuptools.packages.find]
+where = ["src"]

crowdsec_local_mcp-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

crowdsec_local_mcp-0.1.0/src/crowdsec_local_mcp/__init__.py

@@ -0,0 +1,5 @@
+"""CrowdSec MCP package."""
+
+from .mcp_core import main
+
+__all__ = ["main"]

crowdsec_local_mcp-0.1.0/src/crowdsec_local_mcp/__main__.py

@@ -0,0 +1,22 @@
+#!/usr/bin/env python3
+
+import asyncio
+
+from .mcp_core import LOGGER, main
+
+# Import modules for their registration side effects.
+from . import mcp_waf  # noqa: F401
+
+try:
+    from . import mcp_scenarios  # noqa: F401
+except ModuleNotFoundError:
+    LOGGER.warning("Scenario module not available; scenario tools disabled")
+
+
+def run() -> None:
+    """Entry-point used by console scripts."""
+    asyncio.run(main())
+
+
+if __name__ == "__main__":
+    run()

crowdsec_local_mcp-0.1.0/src/crowdsec_local_mcp/compose/waf-test/.gitignore

@@ -0,0 +1,3 @@
+# Generated at runtime by the MCP integration.
+rules/current-rule.yaml
+crowdsec/appsec-configs/mcp-appsec.yaml

crowdsec_local_mcp-0.1.0/src/crowdsec_local_mcp/compose/waf-test/crowdsec/acquis.d/appsec.yaml

@@ -0,0 +1,8 @@
+# Acquisition file registering the MCP-generated AppSec configuration.
+appsec_configs:
+ - mcp-appsec
+labels:
+  type: appsec
+listen_addr: 0.0.0.0:7422
+source: appsec
+name: myAppSecComponent

crowdsec_local_mcp-0.1.0/src/crowdsec_local_mcp/compose/waf-test/crowdsec/appsec-configs/mcp-appsec.yaml.template

@@ -0,0 +1,8 @@
+name: mcp-appsec
+default_remediation: ban
+inband_rules:
+  # Keep the CrowdSec base config to ensure essential protections remain active.
+  - crowdsecurity/base-config
+  # The MCP tooling copies the user rule into the custom directory as current-rule.yaml
+  ## XXX FIXME : make this a variable :)
+  - __PLACEHOLDER_FOR_USER_RULE__

crowdsec_local_mcp-0.1.0/src/crowdsec_local_mcp/compose/waf-test/crowdsec/init-bouncer.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+set -euo pipefail
+
+API_KEY="mcp-nginx-bouncer-test-key"
+BOUNCER_NAME="mcp-nginx-bouncer"
+
+/bin/bash /docker_start.sh "$@" &
+PID=$!
+trap 'kill "$PID" 2>/dev/null || true' EXIT
+
+for _ in $(seq 1 90); do
+    if cscli lapi status >/dev/null 2>&1; then
+        break
+    fi
+    sleep 2;
+done
+
+if ! cscli lapi status >/dev/null 2>&1; then
+    echo "CrowdSec LAPI did not become ready in time" >&2
+    wait "$PID"
+    exit 1
+fi
+
+cscli bouncers delete "$BOUNCER_NAME" >/dev/null 2>&1 || true
+cscli bouncers add "$BOUNCER_NAME" -k "$API_KEY"
+
+trap - EXIT
+wait "$PID"
+exit $?

crowdsec_local_mcp-0.1.0/src/crowdsec_local_mcp/compose/waf-test/docker-compose.yml

@@ -0,0 +1,68 @@
+version: "3.9"
+
+services:
+  crowdsec:
+    image: crowdsecurity/crowdsec:latest
+    hostname: crowdsec
+    container_name: crowdsec-appsec
+    restart: "no"
+    entrypoint:
+      - /bin/bash
+      - /usr/local/bin/init-bouncer.sh
+    environment:
+      # Ensure the local API stays accessible for the nginx bouncer.
+      - DISABLE_LOCAL_API=0
+      - DISABLE_ONLINE_API=1
+      # Turn on AppSec mode inside the CrowdSec container.
+      - ENABLE_APPSEC=1
+    volumes:
+      # Persist CrowdSec data (buckets, alerts, etc.) between restarts.
+      - crowdsec-data:/var/lib/crowdsec/data
+      # Allow templated acquisition and AppSec config overrides without replacing the whole /etc/crowdsec tree.
+      - ./crowdsec/acquis.d/appsec.yaml:/etc/crowdsec/acquis.d/appsec-mcp.yaml:ro
+      - ./crowdsec/appsec-configs/mcp-appsec.yaml:/etc/crowdsec/appsec-configs/mcp-appsec.yaml:ro
+      - ./crowdsec/init-bouncer.sh:/usr/local/bin/init-bouncer.sh:ro
+      # The MCP tooling will drop the user-provided rule in this folder as current-rule.yaml
+      - ./rules:/etc/crowdsec/appsec-rules/custom
+    ports:
+      - "18080:8080" # LAPI (use non-default host port to avoid conflicts)
+      - "17422:7422" # AppSec Live mode (non-default host port)
+    networks:
+      - waf-net
+
+  nginx:
+    build:
+      context: ./nginx
+    container_name: nginx-appsec
+    restart: "no"
+    depends_on:
+      - crowdsec
+      - backend
+    ports:
+      - "8081:80"
+    command:
+      - openresty
+      - -g
+      - 'daemon off;'
+    volumes:
+      - ./nginx/nginx.conf:/usr/local/openresty/nginx/conf/nginx.conf:ro
+      # Site config enabling the CrowdSec module and proxying to the backend.
+      - ./nginx/site-enabled:/usr/local/openresty/nginx/conf/site-enabled:ro
+      # Override the bouncer configuration shipped in the image with the harness version.
+      - ./nginx/crowdsec/crowdsec-openresty-bouncer.conf:/etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf:ro
+    networks:
+      - waf-net
+
+  backend:
+    image: nginxdemos/hello:latest
+    container_name: app-backend
+    restart: unless-stopped
+    networks:
+      - waf-net
+
+volumes:
+  crowdsec-data:
+
+networks:
+  waf-net:
+    driver: bridge

crowdsec_local_mcp-0.1.0/src/crowdsec_local_mcp/compose/waf-test/nginx/Dockerfile

@@ -0,0 +1,67 @@
+
+FROM ubuntu:24.04
+
+# Install dependencies
+RUN apt-get update && apt-get install -y \
+    git \
+    make \
+    software-properties-common \
+    wget \
+    gnupg \
+    ca-certificates \
+    gettext \
+    curl
+
+RUN wget -O - https://openresty.org/package/pubkey.gpg | apt-key add -
+RUN echo "deb http://openresty.org/package/ubuntu $(lsb_release -sc) main"| tee /etc/apt/sources.list.d/openresty.list
+RUN curl -s https://install.crowdsec.net |  bash
+
+RUN apt update
+
+RUN apt install -y openresty openresty-opm gettext-base
+
+RUN apt install -y crowdsec-openresty-bouncer
+
+
+
+EXPOSE 80
+
+
+# # Install the bouncer
+# COPY build.sh /build.sh
+# COPY start.sh /start.sh
+
+# RUN chmod +x /build.sh && /build.sh
+# RUN chmod +x /start.sh
+
+# # Set the script as the entrypoint
+# ENTRYPOINT ["/start.sh"]
+
+
+
+# FROM debian:bookworm
+
+# ENV DEBIAN_FRONTEND=noninteractive
+
+# # Install nginx with Lua module support and prerequisites for the CrowdSec nginx bouncer.
+# RUN set -eux; \
+#     apt-get update; \
+#     apt-get install -y --no-install-recommends \
+#         ca-certificates \
+#         curl \
+#         gnupg2 \
+#         iproute2 \
+#         libnginx-mod-http-lua \
+#         lsb-release \
+#         nginx \
+#         procps; \
+#     curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | bash; \
+#     apt-get install -y --no-install-recommends crowdsec-nginx-bouncer; \
+#     rm -rf /var/lib/apt/lists/*
+
+# # Prepare directories that will receive bind mounts at runtime.
+# RUN mkdir -p /etc/nginx/conf.d /etc/nginx/crowdsec
+
+# EXPOSE 80
+
+# CMD ["nginx", "-g", "daemon off;"]

crowdsec_local_mcp-0.1.0/src/crowdsec_local_mcp/compose/waf-test/nginx/crowdsec/crowdsec-openresty-bouncer.conf

@@ -0,0 +1,25 @@
+API_URL=http://crowdsec:8080
+API_KEY=mcp-nginx-bouncer-test-key
+BOUNCING_ON_TYPE=all
+FALLBACK_REMEDIATION=ban
+MODE=stream
+REQUEST_TIMEOUT=1000
+EXCLUDE_LOCATION=
+ENABLE_INTERNAL=false
+CACHE_EXPIRATION=1
+UPDATE_FREQUENCY=10
+BAN_TEMPLATE_PATH=/var/lib/crowdsec/lua/templates/ban.html
+REDIRECT_LOCATION=
+RET_CODE=
+CAPTCHA_PROVIDER=
+SECRET_KEY=
+SITE_KEY=
+CAPTCHA_TEMPLATE_PATH=/var/lib/crowdsec/lua/templates/captcha.html
+CAPTCHA_EXPIRATION=3600
+APPSEC_URL=http://crowdsec:7422
+APPSEC_FAILURE_ACTION=passthrough
+APPSEC_CONNECT_TIMEOUT=100
+APPSEC_SEND_TIMEOUT=100
+APPSEC_PROCESS_TIMEOUT=1000
+ALWAYS_SEND_TO_APPSEC=false
+SSL_VERIFY=true

crowdsec_local_mcp-0.1.0/src/crowdsec_local_mcp/compose/waf-test/nginx/nginx.conf

@@ -0,0 +1,25 @@
+
+worker_processes  auto;
+
+error_log  /dev/stderr info;
+pid        /tmp/nginx.pid;
+
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    resolver 127.0.0.11;
+
+    include       /usr/local/openresty/nginx/conf/mime.types;
+    default_type  application/octet-stream;
+
+    sendfile        on;
+    keepalive_timeout  65;
+
+    access_log /dev/stdout;
+
+    include /usr/local/openresty/nginx/conf/conf.d/*.conf;
+    include /usr/local/openresty/nginx/conf/site-enabled/*.conf;
+}

crowdsec_local_mcp-0.1.0/src/crowdsec_local_mcp/compose/waf-test/nginx/site-enabled/default-site.conf

@@ -0,0 +1,15 @@
+# Auto-generated by MCP test harness. Route requests through AppSec and the CrowdSec bouncer.
+upstream backend_app {
+    server backend:80;
+}
+
+server {
+    listen 80;
+    server_name _;
+
+    location / {
+        proxy_pass http://backend_app;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+}

crowdsec_local_mcp-0.1.0/src/crowdsec_local_mcp/compose/waf-test/rules/base-config.yaml

@@ -0,0 +1,11 @@
+name: crowdsecurity/base-config
+#### This file is intended to provide a basic configuration for coraza:
+#### - Set the body processors based on the content-type
+
+seclang_rules:
+ - Secrule REQUEST_HEADERS:Content-Type "@rx ^application/x-www-form-urlencoded" "id:100,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=URLENCODED"
+ - Secrule REQUEST_HEADERS:Content-Type "@rx ^multipart/form-data" "id:101,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=MULTIPART"
+ - Secrule REQUEST_HEADERS:Content-Type "@rx ^application/xml" "id:102,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=XML"
+ - Secrule REQUEST_HEADERS:Content-Type "@rx ^application/json" "id:103,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=JSON"
+ - Secrule REQUEST_HEADERS:Content-Type "@rx ^text/xml" "id:104,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=XML"
+ - SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "id:105,phase:1,pass,nolog,noauditlog,ctl:requestBodyProcessor=RAW" #Use our custom RAW body processor, just to have REQUEST_BODY set